[ISN] Study: Bug bounty programs provide strong value for vendors

https://www.computerworld.com/s/article/9240675/Study_Bug_bounty_programs_provide_strong_value_for_vendors

By Jeremy Kirk
IDG News Service
July 9, 2013

Paying rewards to independent security researchers for finding software problems is a vastly better investment than hiring employees to do the same work, according to researchers from the University of California Berkeley.

Their study looked at vulnerability reward programs (VRPs) run by Google and Mozilla for the Chrome and Firefox web browsers. Over the last three years, Google has paid US$580,000 in rewards, and Mozilla has paid $570,000. In the course of those programs, hundreds of vulnerabilities have been fixed in the widely used products.

The programs are very cost effective. Since a North American developer’s salary will cost a company about $100,000 with a 50 percent overhead, “we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team,” the researchers wrote.

[…]